BSNL is inserting ads in websites, sending their users to malware sites through malware code injection

I heard about an alternative DNS server, so that if the first DNS, or primary DNS, is having a problem, then the other will give the internet access. What is a backup DNS server? Is it an alternative DNS like the one you mention?

Backup DNS = alternate DNS. Just different terms.

Initially, there was OpenDNS that was very famous and was recommended by almost everyone on the internet. OpenDNS is still available. Then, when Google launched their public DNS service (via 8.8.8.8 and other IPs), people switched to it almost immediately and started recommending it to everyone.

These days, we have better alternatives than Google DNS, such as Quad9, Cloudflare's 1.1.1.1 service, or our own private DNS (like I mentioned earlier and mentioned in OP). Since DNS is one of the important parts of the internet, more service providers want to have a pie to understand users better. Here's a nice comparison of most popular public DNS services... Public recursive name server - Wikipedia. I strongly recommend Quad9 these days due to its secure nature, compared to Google public DNS.
 
Why is everyone trying to find a workaround for this issue instead of going after BSNL and asking them to solve this abomination?
And who knows what kind of our user information is being sold out there.

Considering they are straight up injecting ads into our browsers needless to say our privacy does not matter anymore.

Well, simply use a proper VPN (paid ones, of course).
 
As updated in one of my previous replies, I have reached out to the BSNL tech team and they have provided me with a contact of the backend team. I have explained the issue to them and provided all the details.
If you folks have any technical details to share which would help resolve this issue, let me know. I will update the BSNL team working on this issue.
 
I can confirm the same issues with my connection. Ads with redirection started coming up on my Mac and Android phone when I connected to BSNL.
- My connection is BSNL Kerala circle
- OS is Mac, browser is Firefox with uBlock Origin, HTTPS Everywhere, Privacy Badger installed
- Pop-up ads always happen while clicking on legitimate HTTP sites but happen randomly and unpredictably
- Redirects go to the domains naganodigei and wreck-track dot info
- Malwarebytes is not able to pick up any abnormal activity
- So far, there is no issue when using Tor Browser or VPN (ProtonVPN free)

I have a question - how dangerous is this malware? Is it safe to use internet banking on the affected computer/browser?
 
We are not aware of how dangerous it is, because no one would have clicked the links that the pop-up window brings in. However, it *may* not affect the computer or browser if you don't click anything in the actual redirected website (such as wreck-track dot info). I close the browser window completely (all the tabs / windows), once I see the pop-up window. I configured my browsers in such a way that they actually clear all the new cookies and sessions once I close the browser, except for the whitelisted domains such as google.com, google.co.in, gmail.com, etc. But, it may not be the case for normal people who aren't aware of cookies or sessions and how to configure the browsers to clear cookies automatically upon exit.

Basically, it is safe to use internet banking or something similar as long as you use a private window or incognito window. At least, I haven't experienced any issues using internet banking or doing any other financial transactions online.
 
I don't know whether this is related to the issue being discussed or not.

In my mobile having prepaid BSNL, I get pop-ups that look like this (BSNL2 — Postimage.org).

Are they also malware? Or a feature? How do I disable such pop ups?
 
Hi David, I have read your links, the finding of the injection and the solution.
I have some doubts, please clarify.
Did you check speedtest.net with your remedy removed? I mean, not using the solution.
My website redirects first to naganoadigei.com and then to the Flipkart site. What is this naganoadigei doing in the speedtest.net site? I checked that it is having its place in the Netherlands.
Please check this site now and then give your comment.
Adblock is good, but it is also not that safe, and it automatically installs something on its own.
Your script description is fantastic, and do you think that you could add rules after rules from time to time?
I talked with a staff member concerning the security of BSNL, and she wants me to send the link. I asked for admin permission, because so many have participated in this thread with their comments and replies.
I told the staff that I will give the link if the admin gives the permission.
Deep analysis has been done by you to find the scripts and solution.
How do we conclude that the malware redirects are from BSNL if they have not seen this thread and analysed it?
One such example has been posted in my post 105, wherein I have explained the vulnerability the Avast Wi-Fi scan gave me.
I then contacted BSNL staff, and they said the suspicious site has been redirected to BSNL for security purposes and no cause of anything.
Please check the speed test at your end by disabling your solution and then see.
Most of the HTTP redirects to naganoadigei.com, which I have been redirecting to Flipkart, Java install, Adobe Flash install updates.
I am not a tech-savvy person, but the solution is for all BSNL users. Thanks

Hi Rajujayaraman,
Visit an HTTP page in Chrome, then open developer tools and go through the Scripts/Sources tab. You will notice that there are scripts served from a BSNL IP address. These scripts are the ones initially injected, which then randomly use an ad service and add additional scripts to either open a popup or popunder or redirect. Redirects go through different domains such as naganoadigei.com and decademical.com, which were set up 6 months ago, etc.

You can see the decoded file over here
Source

It is full of different ways to serve ads from different AD Servers.

Attachment: scripts served from ipaddress.JPG
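The developer-tools check described in the post above can be scripted against a saved copy of an HTTP page. This is an added example, not code from the thread or from any poster; the expected-host list, the sample HTML and the address (taken from the 203.0.113.0/24 documentation range) are constructed assumptions.

```javascript
// Added example: list <script> tags in a saved HTTP response whose source host
// is a bare IP address or is not a host the site itself is expected to use.
const IPV4 = /^(?:\d{1,3}\.){3}\d{1,3}$/;

function scriptSources(html, pageUrl) {
  const out = [];
  // Match <script ... src=...> with double, single or no quotes.
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      out.push(new URL(raw, pageUrl)); // resolves relative and //host forms
    } catch {
      // Unparseable src value: skip it rather than guess.
    }
  }
  return out;
}

function auditScripts(html, pageUrl, expectedHosts) {
  const expected = new Set(expectedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const url of scriptSources(html, pageUrl)) {
    const host = url.hostname.toLowerCase();
    const reasons = [];
    // IPv6 literals keep their brackets in URL.hostname.
    if (IPV4.test(host) || host.startsWith("[")) reasons.push("ip-literal-host");
    if (!expected.has(host)) reasons.push("unexpected-host");
    // Cleartext alone is not reported: on an HTTP page every script is cleartext.
    if (url.protocol === "http:") reasons.push("cleartext");
    if (reasons.some((r) => r !== "cleartext")) {
      findings.push({ src: url.href, reasons });
    }
  }
  return findings;
}

// Constructed sample: two scripts the site author would ship, one injected in transit.
const SAMPLE_PAGE_URL = "http://news.example/index.html";
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src='//cdn.example/lib.min.js'></script>
<script type="text/javascript" src="http://203.0.113.10:8080/loader.js?cid=1"></script>
</head><body>hello</body></html>`;

console.log(auditScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, ["news.example", "cdn.example"]));
```

Comparing the output for the same page fetched over the ISP link and over a VPN or HTTPS shows whether the extra script is added in transit rather than by the site.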
 
I don't know whether this is related to the issue being discussed or not.

In my mobile having prepaid BSNL, I get pop-ups that look like this (BSNL2 — Postimage.org).

Are they also malware? Or a feature? How do I disable such pop ups?

No. This is not a malware. Not a feature either.

I just started getting these kinds of popups, only today. My guess is that these are service messages so can't be disabled. Try posting in a different forum. This forum belongs to BSNL broadband.
 
Hi Pothi, did you check what this naganoadigei.com is doing? I and one more reported this naganodigei.com, which is not originated in India, doing the redirects.
I sincerely feel that BSNL redirects are because of weak or compromised BSNL servers or connected servers.
I checked the router and the routercheck programs. All are showing BSNL servers.
Servers only give internet access and if they are compromised, then you get all sorts of attacks.
Is there any common fix for HTTP redirects irrespective of the browsers we use?
 
